Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

5.8. Enrolling a Certificate on a Cisco Router

Simple Certificate Enrollment Protocol (SCEP), designed by Cisco, is a way for a router to communicate a certificate issuing authority, such as a CA, to enroll certificates for the router.
Normally, a router installer enters the CA's URL and a challenge password (also called a one-time PIN) into the router and issues a command to initiate the enrollment. The router then communicates with the CA over SCEP to generate, request, and retrieve the certificate. The router can also check the status of a pending request using SCEP.

5.8.1. Enabling SCEP Enrollments
Copiar o link

For security reasons, SCEP enrollments are disabled by default in the CA. To allow routers to be enrolled, SCEP enrollments must be manually enabled for the CA.
  1. Stop the CA server, so that you can edit the configuration files. 
    systemctl stop pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap
  2. Open the CA's CS.cfg file. 
    vim /var/lib/pki/instance_name/ca/conf/CS.cfg/var/lib/pki/instance_name/ca/conf/CS.cfg/var/lib/pki/instance_name/ca/conf/CS.cfg
    Copy to Clipboard Toggle word wrap
  3. Set the ca.scep.enable to true. If the parameter is not present, then add a line with the parameter. 
    ca.scep.enable=true
    Copy to Clipboard Toggle word wrap
  4. Restart the CA server. 
    systemctl start pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap

5.8.2. Configuring Security Settings for SCEP
Copiar o link

Several different parameters allow administrators to set specific security requirements for SCEP connections, such as not using the same certificate for enrollment authentication and regular certificate enrollments, or setting allowed encryption algorithms to prevent downgrading the connection strength. These parameters are listed in Table 5.2, “Configuration Parameters for SCEP Security”.
Expand
Table 5.2. Configuration Parameters for SCEP Security
Parameter Description
ca.scep.encryptionAlgorithm Sets the default or preferred encryption algorithm.
ca.scep.allowedEncryptionAlgorithms Sets a comma-separated list of allowed encryption algorithms.
ca.scep.hashAlgorithm Sets the default or preferred hash algorithm.
ca.scep.allowedHashAlgorithms Sets a comma-separated list of allowed hash algorithms.
ca.scep.nickname Gives the nickname of the certificate to use for SCEP communication. The default is to use the CA's key pair and certificate unless this parameter is set.
ca.scep.nonceSizeLimit Sets the maximum nonce size, in bytes, allowed for SCEP requests. The default is 16 bytes.
To set security settings for connections for SCEP enrollments:
  1. Stop the CA server, so that you can edit the configuration files. 
    systemctl stop pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap
  2. Open the CA's CS.cfg file. 
    vim /var/lib/pki/instance_name/ca/conf/CS.cfg/var/lib/pki/instance_name/ca/conf/CS.cfg/var/lib/pki/instance_name/ca/conf/CS.cfg
    Copy to Clipboard Toggle word wrap
  3. Set the desired security parameters, as listed in Table 5.2, “Configuration Parameters for SCEP Security”. If the parameter is not already present, then add it to the CS.cfg file. 
    ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20
    Copy to Clipboard Toggle word wrap
  4. Restart the CA server. 
    systemctl start pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap

5.8.3. Configuring a Router for SCEP Enrollment
Copiar o link

Note

Not all versions of router IOS have the relevant crypto features. Make sure that the firmware image has the Certification Authority Interoperability feature. Certificate System SCEP support was tested on a Cisco 2611 router running IOS C2600 Software (C2600-JK9S-M), version 12.2(40), RELEASE SOFTWARE (fc1).
Before enrolling SCEP certificates on the router, make sure that the router is appropriately configured:
  • The router must be configured with an IP address, DNS server, and routing information.
  • The router's date/time must be correct.
  • The router's hostname and dnsname must be configured.
See the router documentation for instructions on configuring the router hardware.

5.8.4. Generating the SCEP Certificate for a Router
Copiar o link

The following procedure details how to generate the SCEP certificate for a router.
  1. Pick a random PIN.
  2. Add the PIN and the router's ID to the flatfile.txt file so that the router can authenticate directly against the CA. For example: 
    vim /var/lib/pki/instance_name/ca/conf/flatfile.txt

UID:172.16.24.238
PWD:Uojs93wkfd0IS
    Copy to Clipboard Toggle word wrap
    Be sure to insert an empty line after the PWD line.
    The router's IP address can be an IPv4 address or an IPv6 address.
    Using flat file authentication is described in Section 9.2.4, “Configuring Flat File Authentication”.
  3. Log into the router's console. For this example, the router's name is scep: 
    scep>
    Copy to Clipboard Toggle word wrap
  4. Enable privileged commands. 
    scep> enable
    Copy to Clipboard Toggle word wrap
  5. Enter configuration mode. 
    scep# conf t
    Copy to Clipboard Toggle word wrap
  6. Import the CA certificate for every CA in the certificate chain, starting with the root. For example, the following command sequence imports two CA certificates in the chain into the router: 
    scep(config)# crypto ca trusted-root1
scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 1
scep(config)# crypto ca trusted-root0
scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 0
    Copy to Clipboard Toggle word wrap
  7. Set up a CA identity, and enter the URL to access the SCEP enrollment profile. For example, for the CA: 
    scep(config)# crypto ca identity CA
scep(ca-identity)# enrollment url http://server.example.com:8080/ca/cgi-bin
scep(ca-identity)# crl optional
    Copy to Clipboard Toggle word wrap
  8. Get the CA's certificate. 
    scep(config)# crypto ca authenticate CA
Certificate has the following attributes:
Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57
% Do you accept this certificate? [yes/no]: yes
    Copy to Clipboard Toggle word wrap
  9. Generate RSA key pair. 
    scep(config)# crypto key generate rsa
The name for the keys will be: scep.server.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
Generating RSA keys ...
[OK]
    Copy to Clipboard Toggle word wrap
  10. Lastly, generate the certificate on the router. 
    scep(config)# crypto ca enroll CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password: secret
Re-enter password: secret

% The subject name in the certificate will be: scep.server.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 57DE391C
% Include an IP address in the subject name? [yes/no]: yes
% Interface: Ethernet0/0
% Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

% Fingerprint:D89DB555 E64CC2F7 123725B4 3DBDF263

Jan 12 13:41:17.348: %CRYPTO-6-CERTRET: Certificate received from Certificate
    Copy to Clipboard Toggle word wrap
  11. Close configuration mode. 
     scep(config)# exit
    Copy to Clipboard Toggle word wrap
  12. To make sure that the router was properly enrolled, list all of the certificates stored on the router. 
    scep# show crypto ca certificates
Certificate
 Status: Available
 Certificate Serial Number: 0C
 Key Usage: General Purpose
 Issuer:
	CN = Certificate Authority
	 O = Sfbay Red hat Domain 20070111d12
 Subject Name Contains:
	Name: scep.server.example.com
	IP Address: 10.14.1.94
	Serial Number: 57DE391C
 Validity Date:
	start date: 21:42:40 UTC Jan 12 2007
	end date: 21:49:50 UTC Dec 31 2008
 Associated Identity: CA

CA Certificate
 Status: Available
 Certificate Serial Number: 01
 Key Usage: Signature
 Issuer:
	CN = Certificate Authority
	 O = Sfbay Red hat Domain 20070111d12
 Subject:
	CN = Certificate Authority
	 O = Sfbay Red hat Domain 20070111d12
 Validity Date:
	start date: 21:49:50 UTC Jan 11 2007
	end date: 21:49:50 UTC Dec 31 2008
 Associated Identity: CA
    Copy to Clipboard Toggle word wrap

5.8.5. Working with Subordinate CAs
Copiar o link

Before a router can authenticate to a CA, every CA certificate in the CA's certificate chain must be imported into the router, starting with the root. For example, the following command sequence imports two CA certificates in the chain into the router: 
scep(config)# crypto ca trusted-root1
scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 1
scep(config)# crypto ca trusted-root0
scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 0
Copy to Clipboard Toggle word wrap
If the CA certificates do not have the CRL distribution point extension set, turn off the CRL requirement by setting it to optional: 
scep(ca-root)# crl optional
Copy to Clipboard Toggle word wrap
After that, set up the CA identity as described in Section 5.8.4, “Generating the SCEP Certificate for a Router”.

5.8.6. Re-enrolling a Router
Copiar o link

Before a router can be re-enrolled with new certificates, the existing configuration has to be removed.
  1. Remove (zeroize) the existing keys. 
    scep(config)# crypto key zeroize rsa
% Keys to be removed are named scep.server.example.com.
Do you really want to remove these keys? [yes/no]: yes
    Copy to Clipboard Toggle word wrap
  2. Remove the CA identity. 
    scep(config)# no crypto ca identity CA
% Removing an identity will destroy all certificates received from
the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

No enrollment sessions are currently active.
    Copy to Clipboard Toggle word wrap

5.8.7. Enabling Debugging
Copiar o link

The router provides additional debugging during SCEP operations by enabling the debug statements. 
 scep# debug crypto pki callbacks
 Crypto PKI callbacks debugging is on

 scep# debug crypto pki messages
 Crypto PKI Msg debugging is on

 scep# debug crypto pki transactions
 Crypto PKI Trans debugging is on

 scep#debug crypto verbose
 verbose debug output debugging is on
Copy to Clipboard Toggle word wrap

5.8.8. Issuing ECC Certificates with SCEP
Copiar o link

By default, an ECC CA does not support SCEP out of box. However, it is possible to work around it by using a designated RSA certificate to handle each of the following two areas:
  • encryption/decryption cert - designate an RSA cert having encryption/decryption capability; (scepRSAcert in the following example)
  • signature cert - get an RSA cert to use on the client side for signing purpose instead of self-signed; (signingCert cert in the following example)
For example, with scepRSAcert cert being the encrypt/decrypt cert, and signingCert being the signing cert: 
sscep enroll -c ca.crt -e scepRSAcert.crt -k local.key -r local.csr -K sign.key -O sign.crt -E 3des -S sha256 -l cert.crt -u '​http://example.example.com:8080/ca/cgi-bin/pkiclient.exe'
Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat